Purdue prof schools law enforcement on Mac “cyber forensics”

With Apple's market share increasing, forensic investigators are being called …

Dr. Marc Rogers, Director of Cyber Forensics at Purdue University, is leading a three-day crash course for law enforcement officers from around the state of Indiana this week. He hopes this will be the first of many such training sessions that focus on forensic examination of Macs, iPods, and iPhones. Dr. Rogers heads up the Cyber Forensics Lab at Purdue's School of Technology, and has published two papers on iPod forensics as well as authoring a paper on iPhone forensics expected to be published this fall.

"We've been seeing a lot of Macs and iPods being brought to our lab by law enforcement for examination," Dr. Rogers told Ars. "In talking with our partners in local and state police departments, we realized this was a gap in knowledge of forensics experts." This first seminar is an introductory overview, giving forensics officers unfamiliar with Mac OS X a chance to get up to speed with areas to look for when examining a Mac for evidence. "We're opening a few eyes to the Macintosh platform. People are realizing that the interface and the file system are not that different than Windows."

The Cyber Forensics Lab, part of the College of Technology's Department of Computer and Information Technology, has been in operation for four years. In addition to supporting the college's graduate program in Cyber Forensics, the lab is used for research as well as providing assistance and training for local, state, and federal law enforcement officers. Nick Peelman, a student entering the Cyber Forensics master's program in the fall, told us that Apple's products are going to be coming across forensic investigators' desks more often. "It's going to be exploding in the next few years," he said. "As the market share increases, the probability of people using them for bad stuff is going to go up. We should do what we can to help prepare law enforcement."

Performing forensics on Macs isn't easy, though. With regular major updates to hardware and the OS, it can be difficult for officers with a busy caseload to keep up. And the necessary tools aren't always easy to work with. "We have a grad student that examined a Windows-based tool and found its handling of HFS+ filesystems to be surprisingly poor," says Dr. Rogers. In addition, he says, "The state of Mac-based computer forensic tools is quite immature. I've been in the field for 20 years, and Mac tools are about where Windows tools were about 10 years ago."

Dr. Rogers and his team are starting to work with developers of various tools. "Many of the tools are just too 'geeky' for many of the investigators to use effectively," he said. "We're giving developers feedback, letting them know what works and what doesn't. We might tell them, 'It would be better if a user could see the data this way.'" Peelman adds, "I would like to see some more open source tools on the Mac side as well."

In the meantime, the Cyber Forensics Lab will continue increasing awareness of Macs and Mac OS X for forensic investigators and publishing information about forensic examination of Apple's products. Dr. Rogers noted that interest in Mac forensics training is at an all-time high, and plans to offer an advanced training course starting this fall.